- An SSLEngine implementation is now available. It has been tested to
work for an Apache Tomcat (8.5.13) NIO connector, specifically the
org.apache.coyote.http11.Http11NioProtocol protocol. A caveat:
server-side currently only works with the BCJSSE KeyManagerFactory, so a
jre/lib/security/java.security entry is needed:
ssl.KeyManagerFactory.algorithm=PKIX

- SNI enabled for clients. SSL sockets and engines created using a
fully-qualified domain name will pass it as the host_name in a Server
Name Indication extension. As with SunJSSE, this is enabled by default,
but can be disabled by setting the jsse.enableSNIExtension system
property to "false".

- The default enabled cipher suites list was extended and now includes
ECDHE_ECDSA, ECDHE_RSA and RSA key exchanges combined with either CHACHA
or AES ciphers.

- An SSLEngine implementation is now available. It has been tested to work for an Apache Tomcat (8.5.13) NIO connector, specifically the org.apache.coyote.http11.Http11NioProtocol protocol. A caveat:
server-side currently only works with the BCJSSE KeyManagerFactory, so a jre/lib/security/java.security entry is needed:
ssl.KeyManagerFactory.algorithm=PKIX

- SNI enabled for clients. SSL sockets and engines created using a fully-qualified domain name will pass it as the host_name in a Server Name Indication extension. As with SunJSSE, this is enabled by default, but can be disabled by setting the jsse.enableSNIExtension system property to "false".

- The default enabled cipher suites list was extended and now includes ECDHE_ECDSA, ECDHE_RSA and RSA key exchanges combined with either CHACHA or AES ciphers.